Resource Orchestration Service:Use resource groups for fine-grained resource control

Last Updated:Apr 23, 2026

When you use resource groups to manage resources, you can use them with RAM to isolate resources and manage fine-grained permissions within a single Alibaba Cloud account. This topic describes how ROS supports resource groups and explains how to grant permissions at the resource group level.

How resource group authorization works

You can use a resource group to organize resources within your Alibaba Cloud account. For example, you can create a separate resource group for each project and move resources into their corresponding groups for centralized management. For more information, see What is a resource group?.

After organizing your resources, you can grant different RAM principals, such as a RAM user, RAM user group, or RAM role, permissions scoped to a specific resource group. This ensures that the principal can manage only the resources within that group. For more information, see Resource grouping and authorization.

This approach has the following benefits:

  • Fine-grained permissions: Ensures each principal has only the permissions required to access resources, preventing the commingling of resources from different projects within the same account.

  • Scalability: When you add new resources to a resource group, the RAM principal automatically gains the required permissions for these new resources, so you do not need to grant them again.

Grant resource group-level permissions to a RAM user

The following steps describe how to grant a RAM user permissions to manage ROS resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and move your existing resources to the target resource group. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.

2. Grant resource group-level permissions

You can use either of the following methods to grant permissions at the resource group level.

Method 1: Resource Management console

Use the permission management feature of resource groups to grant permissions to a specific RAM user. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the resource group page, find the target resource group and click Permissions in the Actions column.

  • On the Permissions tab, click Grant Permission.

  • In the Grant Permission panel, configure the principal and policy.

    • Principal: Select an existing RAM user.

    • Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom policy.

  • Click OK.

Method 2: RAM console

Grant permissions to a specific RAM user at the resource group level in the RAM console. For more information, see Manage RAM user permissions.

  • Log on to the RAM console with your Alibaba Cloud account or as a RAM administrator.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, grant permissions to the RAM user.

    • Authorized Scope: Select Resource Group.

    • Principal: Select an existing RAM user or the one you created in the prerequisites.

    • Policy: Select a system policy or a custom policy that you have created. For more information, see Create a custom policy.

  • Click OK.

Supported ROS resource types

The following table lists the ROS resource types that support resource groups.

Cloud service   Cloud service code   Resource type
ROS             ros                  stack : stack
ROS             ros                  stackgroup : stack group
ROS             ros                  template : template
ROS             ros                  templatescratch : template scratch

Note

If a resource type you need does not support resource groups, you can submit feedback in the Resource Management console.

Actions without resource group-level authorization

The following ROS actions do not support resource group-level authorization:

Action                                   Description
ros:ChatROS                              -
ros:CompareTemplates                     -
ros:CreateAITask                         Creates an AI task to run a specific automated workflow, such as generating or fixing a template, or deploying a stack.
ros:CreateDiagnostic                     Creates a task for one-click diagnostics.
ros:DeleteDiagnostic                     Deletes a diagnostic record.
ros:DeregisterResourceType               Deletes a resource type or a specific version of a resource type.
ros:DescribeStacks                       -
ros:DisableServiceAccess                 -
ros:EnableServiceAccess                  Enables trusted service access.
ros:EnableServices                       Enables multiple services at once.
ros:GetAITask                            Queries the details of an AI task by its ID.
ros:GetDiagnostic                        Queries the details of a diagnostic report by its ID.
ros:GetResourceType                      Queries the details of a specified resource type.
ros:GetResourceTypeRecommendedTemplate   -
ros:GetResourceTypeTemplate              Generates a sample template based on a resource type.
ros:GetServiceAccess                     Queries trusted services.
ros:GetSession                           -
ros:ListAITaskEvents                     Queries the events of an AI task.
ros:ListAITasks                          Queries a list of AI tasks.
ros:ListChatMessages                     -
ros:ListChatSessions                     -
ros:ListDiagnostics                      Queries a list of diagnostics.
ros:ListPrivateTemplates                 -
ros:ListResourceTypeRegistrations        Queries a list of resource registration records.
ros:ListResourceTypeVersions             Queries a list of resource type versions, including those created by you and those provided by ROS.
ros:ListResourceTypes                    Queries a list of supported resource types.
ros:ListSessions                         -
ros:ListSummaries                        Queries overviews.
ros:ListTagKeys                          Queries the tag keys of stacks or templates in an Alibaba Cloud region.
ros:ListTagValues                        Queries the tag values for a specified tag key of a template or stack in an Alibaba Cloud region.
ros:OpsSetResourceTypeVersion            -
ros:RegisterResourceType                 Creates a resource type or adds a new version to an existing one.
ros:SetResourceType                      Modifies the description of a resource type or a specific version of a resource type.
ros:StartChat                            -
ros:ValidateTemplate                     -

For actions that do not support resource group-level authorization, selecting Resource Group as the authorized scope is ineffective. To grant these permissions to a RAM user, you must create a custom policy and select Account as the authorized scope.

Here are two examples of custom policies. You can adjust the policy content as needed.

  • Allows all read-only actions that do not support resource group-level authorization: The Action element lists all read-only actions that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ros:DescribeStacks",
            "ros:GetAITask",
            "ros:GetDiagnostic",
            "ros:GetResourceType",
            "ros:GetResourceTypeRecommendedTemplate",
            "ros:GetResourceTypeTemplate",
            "ros:GetServiceAccess",
            "ros:GetSession",
            "ros:ListAITaskEvents",
            "ros:ListAITasks",
            "ros:ListChatMessages",
            "ros:ListChatSessions",
            "ros:ListDiagnostics",
            "ros:ListPrivateTemplates",
            "ros:ListResourceTypeRegistrations",
            "ros:ListResourceTypeVersions",
            "ros:ListResourceTypes",
            "ros:ListSessions",
            "ros:ListSummaries",
            "ros:ListTagKeys",
            "ros:ListTagValues",
            "ros:ValidateTemplate"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allows all actions that do not support resource group-level authorization: The Action element lists all actions that do not support resource group-level authorization.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ros:ChatROS",
            "ros:CompareTemplates",
            "ros:CreateAITask",
            "ros:CreateDiagnostic",
            "ros:DeleteDiagnostic",
            "ros:DeregisterResourceType",
            "ros:DescribeStacks",
            "ros:DisableServiceAccess",
            "ros:EnableServiceAccess",
            "ros:EnableServices",
            "ros:GetAITask",
            "ros:GetDiagnostic",
            "ros:GetResourceType",
            "ros:GetResourceTypeRecommendedTemplate",
            "ros:GetResourceTypeTemplate",
            "ros:GetServiceAccess",
            "ros:GetSession",
            "ros:ListAITaskEvents",
            "ros:ListAITasks",
            "ros:ListChatMessages",
            "ros:ListChatSessions",
            "ros:ListDiagnostics",
            "ros:ListPrivateTemplates",
            "ros:ListResourceTypeRegistrations",
            "ros:ListResourceTypeVersions",
            "ros:ListResourceTypes",
            "ros:ListSessions",
            "ros:ListSummaries",
            "ros:ListTagKeys",
            "ros:ListTagValues",
            "ros:OpsSetResourceTypeVersion",
            "ros:RegisterResourceType",
            "ros:SetResourceType",
            "ros:StartChat",
            "ros:ValidateTemplate"
          ],
          "Resource": "*"
        }
      ]
    }
    
Important

A RAM user or RAM role with account-level permissions can operate on all resources in the account. Always follow the principle of least privilege. Before you grant permissions, ensure that they are necessary and align with your security requirements.
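As an added check (example code written for this page, not Alibaba Cloud's own tooling), the following script reads a custom policy document and reports the allowed actions from the table above that would be silently ineffective if the policy were attached with Authorized Scope set to Resource Group, so that those actions can be granted at Account scope deliberately rather than discovered missing later. The action list is the one on this page; the sample policy is constructed, and wildcard expansion and case-insensitive action matching are assumptions.

```python
import fnmatch
import json

# Actions this page lists as not supporting resource group-level authorization.
NO_RG_SCOPE_ACTIONS = frozenset({
    "ros:ChatROS", "ros:CompareTemplates", "ros:CreateAITask",
    "ros:CreateDiagnostic", "ros:DeleteDiagnostic", "ros:DeregisterResourceType",
    "ros:DescribeStacks", "ros:DisableServiceAccess", "ros:EnableServiceAccess",
    "ros:EnableServices", "ros:GetAITask", "ros:GetDiagnostic",
    "ros:GetResourceType", "ros:GetResourceTypeRecommendedTemplate",
    "ros:GetResourceTypeTemplate", "ros:GetServiceAccess", "ros:GetSession",
    "ros:ListAITaskEvents", "ros:ListAITasks", "ros:ListChatMessages",
    "ros:ListChatSessions", "ros:ListDiagnostics", "ros:ListPrivateTemplates",
    "ros:ListResourceTypeRegistrations", "ros:ListResourceTypeVersions",
    "ros:ListResourceTypes", "ros:ListSessions", "ros:ListSummaries",
    "ros:ListTagKeys", "ros:ListTagValues", "ros:OpsSetResourceTypeVersion",
    "ros:RegisterResourceType", "ros:SetResourceType", "ros:StartChat",
    "ros:ValidateTemplate",
})

def allowed_action_patterns(policy: dict) -> list:
    """Collect Action values from every Allow statement (string or list form)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns

def ineffective_under_rg_scope(policy_json: str) -> list:
    """Return the allowed actions that would silently do nothing if this policy
    were attached with Authorized Scope = Resource Group. Wildcards such as
    "ros:*" or "ros:List*" are expanded, since a wildcard grant also covers the
    unsupported actions; matching is case-insensitive (assumption)."""
    hits = set()
    for pattern in allowed_action_patterns(json.loads(policy_json)):
        hits.update(a for a in NO_RG_SCOPE_ACTIONS
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(hits)

# Constructed sample: a policy an operator might attach at resource group scope.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ros:GetStack", "ros:List*", "ros:ValidateTemplate"]}],
})
```

For the sample policy the check reports the thirteen ros:List* actions from the table plus ros:ValidateTemplate, while ros:GetStack (a stack-level action) is left alone because resource group scope applies to it normally.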

FAQ

View a resource's resource group

  • Method 1: Click the resource name to open its details page. The resource group is displayed on this page.

  • Method 2: Log on to the Resource Management console. In the left-side navigation pane, choose Resource Center > Resource Search. In the pane on the left, select the account to which the resource belongs (the Current Account is selected by default). Use the filter conditions to find the resource and view its resource group.

View product resources in a resource group

  • Method 1: Log on to the Resource Management console. In the left-side navigation pane, choose Resource Center > Resource Search. In the account list on the left (the Current Account is selected by default), click the target resource group. Then, in the Select Resource Type drop-down list, select the product to view its resources within that group.

  • Method 2: Log on to the Resource Management console. In the left-side navigation pane, choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view its resources in that group.

Move resources to another resource group

Log on to the Resource Management console. In the left-side navigation pane, choose Resource Groups > Resource Groups. In the Actions column for the target resource group, click Manage Resources. On the resulting page, use filters to locate the resources that you want to move. Select the checkbox for each target resource, click Transfer Resource Group at the bottom of the page, and then follow the on-screen instructions.